Quibi, JetBlue, Wish, others accused of leaking millions of email addresses to ad orgs via HTTP referer headers

From URL to UR-Hell


Short-video biz Quibi, airline JetBlue, shopping site Wish, and several other companies leaked millions of people's email addresses to ad-tracking and analytics firms through HTTP request headers, it is claimed.

According to findings published Wednesday by Zach Edwards, of digital strategy firm Victory Medium, these businesses have spilled these contact details to advertising networks and the like over the past few years. Among those websites identified by Edwards – a group that also includes Mailchimp, The Washington Post, NGPVan.com, KongHQ, and GrowingChild.com – some promptly altered their websites when notified of the issue, but others have not.

And while this disclosure of email addresses to third parties may well be covered in high-level terms buried in corporations' privacy policies, it's a reminder of just how easy it is for websites to pass along your personal contact details in the blink of an eye without you realizing.

Netizens using web browsers that prioritize defenses against ad tracking, such as Brave, Firefox, and Safari, or who have installed suitable privacy extensions in other browsers, may have avoided having their email addresses spirited away.

How it happens

When someone tries to visit a page on a website – by clicking on a link or button, say – their browser constructs an HTTP request for that page, and sends it to the website. That request contains the page's URL, and this URL can carry information relevant to the request, such as query parameters. The HTTP request can also contain what's called a referer header, which specifies the URL of the webpage the request originated from – typically the page you were just on.

Now imagine you click on a link to a webpage, and its URL contains your email address. Your browser requests and receives that webpage, which then tells your browser to automatically go fetch files, such as images and JavaScript code, from other websites. When your browser requests those follow-up files, the referer header in the HTTP requests will be the URL you just opened – which, don't forget, contains your email address. That webpage has now leaked your contact details to those other sites.

Quibi, the recently launched short video sharing app, was doing just that, said Edwards. When a new user signed up with an email address, that person received an email with an account creation confirmation link. Clicking on that link took the netizen to a webpage with the following URL, which contained their account email address:

https://quibi.com/email_verified/?email=user%40gmail.com&...

That verification page, when fetched, automatically reached out to other servers to request JavaScript code and other files – with that verification page's URL, containing the sign-up address, in the referer header of the HTTP requests. In effect, Quibi shared the user's email address in plaintext to ad partners, such as Google's DoubleClick, Google Tag Manager, Google Analytics, Facebook Analytics, Twitter, Snapchat, and others. Those websites would be able to link your interest in Quibi to your email address for the purpose of targeting you with tailored ads, for instance.
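To make the mechanism concrete, here is an added example (not code from the article or from any company named in it) that models the Referer value a browser attaches when a page fetches a cross-origin script under the main Referrer-Policy settings, then scans that referer for an email address, whether plain, percent-encoded, or base64-encoded as the article later says Wish's URLs were. The tracker and token values are constructed; the Quibi URL is the one quoted above.

```javascript
// Added example, not code from the article or the companies it names.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;
const B64_RE = /^[A-Za-z0-9+\/]+={0,2}$/;

// Referer the page at pageUrl sends when it requests targetUrl, per policy.
// Fragments are never sent; a "downgrade" is an https page fetching over http.
function refererFor(pageUrl, targetUrl, policy = "no-referrer-when-downgrade") {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === "https:" && target.protocol === "http:";
  const full = page.origin + page.pathname + page.search; // query included
  const originOnly = page.origin + "/";                    // query stripped
  switch (policy) {
    case "no-referrer": return null;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "strict-origin-when-cross-origin": // current browser default
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error("unknown Referrer-Policy: " + policy);
  }
}

// Email addresses recoverable from a referer's query values. URLSearchParams
// percent-decodes each value; values that look like base64 are decoded too,
// since base64 is an encoding, not encryption.
function emailsInReferer(referer) {
  if (!referer) return [];
  const candidates = [];
  for (const [, value] of new URL(referer).searchParams) {
    candidates.push(value);
    if (B64_RE.test(value) && value.length % 4 === 0) {
      candidates.push(Buffer.from(value, "base64").toString("utf8"));
    }
  }
  const found = new Set();
  for (const c of candidates) {
    const m = c.match(EMAIL_RE);
    if (m) found.add(m[0]);
  }
  return [...found];
}
```

The defensive lesson is in the two functions together: under the legacy default policy the full query reaches the tracker, `strict-origin-when-cross-origin` cuts it to the origin, and the only fix that works regardless of browser is not putting the address in the URL at all.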

Quibi did not immediately respond to a request for comment. According to Edwards, the company is no longer spilling email addresses as described above. Quibi's privacy policy states it does share people's info with ad networks, though there's no specific mention of email addresses being shared in this way.

JetBlue, it's claimed, similarly leaked email addresses from a signup webpage, and was alerted to the shortcoming in March. "After being informed of the leak, JetBlue stated they would never do what they are doing because it would be against the law," Edwards said in his report.

The airline did not immediately respond to a request for comment. Again, as with Quibi, its privacy policy states email addresses may be disclosed for commercial purposes, though it doesn't explicitly say how.

For the past two years, Wish.com has been transmitting millions of email addresses, in base64 encoding, which is not encryption, we're told.

"From July 2018 until January 2020 when this research was initially shared with Wish.com, Wish transmitted user emails to at least Google, Facebook, Pinterest, Criteo, PayPal and Stripe, and potentially other companies," Edwards said. Several thousand of these messages apparently have been cached by search engines such as URLscan.io.


Glenn Lehrman, veep and head of communications at Wish.com, told The Register the company considers data protection and user trust a top priority. He said after receiving Edwards' report earlier this year, the biz made some changes, including adding encryption to protect user email addresses in transit.

Lehrman said he disagreed with Edwards' findings, noting that the websites receiving the email addresses act as service providers, performing advertising and sales support functions.

"Zach takes issue with the specific manner in which web referer data was encoded (into a non-human readable string) and surmises that large service providers theoretically could have first ingested and then taken steps to decode that data," said Lehrman. "We have no reason to believe that occurred. Certainly, these companies had no reason to do so, and in any event, it certainly is not a 'breach' to provide a service provider with such encoded information."

Email addresses are considered Personally Identifiable Information under Europe's General Data Protection Regulation, Edwards told The Register. Exposing this data could pose problems to companies operating in Europe.

The California Consumer Privacy Act is less clear. "That's why Wish said all its ad tech partners were 'service providers' – this is the one opening in the CCPA to be able to share data this way," he added.

Even so, Edwards believes none of the organizations he identified made this data sharing sufficiently clear in their privacy policies.

Edwards said he doubts these leaks are accidental. "It’s definitely not an accident when most organizations do this," he said, noting that the practice is a widely known and heavily used "growth hack."

"It improves retargeting opportunities and improves attribution in analytics systems," he said. "Ad tech companies like Adroll had a 'data shotgun' that grabbed emails in URLs for years and this is a known strategy. Liveramp has a user graph with huge amounts of emails and tons of ad networks have email matching like Facebook Custom Audience. Email being pushed to ad networks is almost always on purpose and it's profitable for folks who do it." ®
